|
Compliance with new
privacy
rules delayed until mid-2001
By Lucy
Lazarony • Bankrate.com
Folks keen to keep their personal
financial information private will have to wait.
It will be mid-2001 before the
privacy protections in the financial modernization bill, which was
signed into law by President Clinton in November 1999, take effect.
The law, known as the Gramm-Leach-Bliley Act,
gave federal regulators until mid-May to translate the financial
reform law into a comprehensive set of rules. Those rules were then
supposed to go into effect in November.
Instead, critics claim, the regulators rolled
back the timetable and weakened the law's impact.
Some
provisions watered down
And the law's privacy protections, which many consumer groups
and privacy advocates already view as "minimal," were watered down
further when federal regulators added an exception to the section
of the law that bans financial institutions from sharing account
numbers with third-party marketers.
"They've come back with what we consider an
enormous step back -- an entrenchment," says Dean Sagar, an aide
to U.S. Rep. John
LaFalce, D-N.Y.
But the biggest controversy by far surrounds
the decision to extend the compliance date on the privacy rules
from November 2000 to July 2001.
"The decision to delay is ridiculous. Banks
have more than enough time to comply with these rules," says David
Butler, a spokesman for Consumers
Union. "This is a stalling tactic."
The extension gives banks eight extra months
to post privacy policies and set up a system that allows consumers
to block banks from sharing their private financial information
with outside companies.
"It was a judgment call by the agencies as to
what would be a reasonable amount of time to get financial systems
up and running," says Stephanie Martin, managing senior counsel
at the Federal
Reserve Board. "It's sort of on the short side of what people
were asking for."
Under the Gramm-Leach-Bliley Act, a financial
institution must disclose its privacy policy when a consumer signs
on as a customer and at least once a year thereafter. Financial
institutions also must give consumers the chance to block the sharing
of "nonpublic" information, including transaction and customer experience
such as account balances, with third-party marketers.
Banks
wanted -- and got -- more time
Nearly every financial institution that sent comments to regulators
wanted more time to implement the rules. Time requests ranged from
six months to two years past the original deadline of Nov. 13, 2000.
"This is mainly an operations issue -- updating
computer systems, getting new software, training personnel," says
Catherine Pulley, a spokeswoman for the American
Bankers Association. "It's a very complicated rule."
Privacy rules for
financial institutions
|
|
Here are some things that a financial institution
will have to disclose to customers in its privacy policy:
The types of private financial information
that it collects.
The types of private financial information
it shares.
The types of companies with which it shares
or sells this information.
How it handles information on former customers.
An explanation of a consumer's right to
block the sharing of private financial information with
outside companies by opting out.
Exceptions to the opt-out requirement.
Its confidentiality policy and security
practices.
|
Sixteen consumer groups and more than 30 members
of Congress sent letters to federal agencies opposing the delay.
"You don't put it off for a year. You go ahead
and put it in place and work out the bugs," Sagar says.
"Our fear is banks are going to say, 'We have
another year to just collect and sell all the information that we
can and make all the money that we can.'
"As of mid-June, late June (2001), you can still
be selling people's information."
Exception
allows sharing of encrypted account numbers
Privacy advocates are also disappointed that regulators added
an exception to the section of the law that prevents financial institutions
from sharing account numbers with third-party marketers.
Regulators have decided that encrypted account
numbers, which many banks use as "internal identifiers," can be
shared with telemarketers. Without a key to unscramble the data,
telemarketers will not be able to make direct charges to customer
accounts.
The aim of the ban is to cut down on telemarketing
scams targeting bank customers.
Here's how a typical scam works. A consumer
agrees to sign on for a free trial offer for a product or service.
The telemarketer, armed with the customer's credit card account,
then charges the consumer for the product. Lots of times these freebies
never turn up. Some folks are charged even after refusing
the free offer. Consumers are left to decipher the extra charges
on their credit card statements while banks and telemarketing companies
share the profits.
"The banks were complicitous. They were turning
a blind eye because they were getting a cut of the sales," Sagar
says. "What's to stop that now? Nothing.
"A third party can't put charges through --
that's not the point. You're still linking marketing with bank accounts."
So well-informed telemarketers will still be
calling bank customers.
"I know you're a bank customer. I know you're
a cardholder. I know I can put a charge through. I just don't know
your card number," Sagar says. "If you give me any green light I'm
going to file the charges. It's just going to go through the bank."
A
law full of loopholes
Privacy advocates view the handling of encrypted account numbers
as one more loophole in a privacy law riddled with exceptions.
"It's another example of another loophole to
appease banks and to further limit the control that consumers have
over their private information," Butler says.
For example, a bank customer's right to block
information sharing with third-party marketers does not apply when
a bank has a joint marketing agreement with that company.
"The exceptions swallow the rule," says Ed Mierzwinski,
consumer program director of the U.S.
Public Interest Research Group.
"Any company that a bank really wants to do
business with it will have a joint marketing agreement. Opt-out
won't apply."
While the financial modernization law paves
the way for banks, brokerages and insurance companies to merge,
it places no restrictions on how customer information may be shared
among affiliates.
"There are a lot of gaps here. You can't opt
out of all disclosures. You can't opt out for affiliates," Martin
says. "Consumers will be able to opt out to some extent on some
disclosures, but certainly it's not a blanket on all the information
that's out there on consumers. It doesn't cover everything."
More
privacy laws up for debate
It's also important to realize that this is the first federal
law addressing financial privacy. There are bound to be more. The
debate is just beginning.
President Clinton outlined a number of additional
privacy protections in April. The president's proposal has been
introduced as H.R.
4380 by LaFalce, who is the ranking Democrat on the House Committee
on Banking and Financial Services. Sen. Patrick
Leahy, D-Vt., has introduced the proposal as S.
2513 in the U.S. Senate.
How far this bill will go in a Republican-controlled
Congress in the midst of an election year is unclear. One thing
is certain. This issue isn't going to go away anytime soon.
As Butler points out: "There are few things
that consumers take as seriously as the privacy of their personal
financial information."
-- Posted: May 24, 2000
|
